Cisco DMVPN @ home

Problem

You're a bit of a networking nerd: you've got a Cisco router at home, but perhaps you also have one at your parents' house... maybe a friend has one as well, and eventually you've got a whole load of different networks to look after.

Wouldn't it be easier as a single network? Of course! But what's the easiest way of doing this?

Solution

DMVPN! Dynamic Multipoint VPN. Built on IPsec and multipoint GRE tunnels, this technology can save you some serious hassle when it comes to linking up multiple private networks, but like everything it has some basic requirements:

  • You'll need at least one location with a static public IP.
  • Every location has a Cisco router capable of DMVPN (I expect this works on other vendors too, but I've not covered it).
  • Different private IP ranges at each location. I like using 10.0.0.0/8 and carving it up 8 bits at a time in the following fashion: 10.[site].[vlan / segment].[host]/24. This gives 255 possible sites, with 255 possible VLANs per site and 253 hosts per VLAN. Sufficient? I hope so. It also keeps things easy because we all live in a yellow... we all love /24 masks.

DMVPN works on a hub and spoke topology: the hub is what requires the static address, but the spokes can have dynamic IPs from your ISP. The spokes connect to the hub to establish an adjacency. One of the real beauties is that when two of your spokes have to communicate, they use NHRP (Next Hop Resolution Protocol) to bring up a dynamic tunnel between themselves and talk directly. No hub traversal required!

I'm not going to go into the fine details of exactly how DMVPN works (there's plenty of that online, and I'm not a CCIE R&S instructor); I'm just going to give some configuration.

Hub configuration:

key chain EIGRP-CHAIN
 key 1
  key-string 0 cisco

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set AES_MD5

interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-CHAIN
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp registration timeout 30
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet8
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!

router eigrp 1
 network 10.0.0.0 0.0.255.255
 network 172.16.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1

Common changes required will be:

  • tunnel source GigabitEthernet8 - change this to your WAN interface.
  • network 10.0.0.0 0.0.255.255 - whatever internal addressing you're using at the hub site.
  • Anything with "cisco" in it, since these are passwords; the other end will have to match. Note that there are 3 different types of authentication here (EIGRP, NHRP and IPsec), and the 3 passwords can be different.

Spoke Configuration:

key chain EIGRP-CHAIN
 key 1
  key-string 0 cisco

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set AES_MD5

interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-CHAIN
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication cisco
 ip nhrp map multicast <hub public ip>
 ip nhrp map 172.16.1.1 <hub public ip>
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 172.16.1.1
 ip nhrp registration timeout 30
 ip nhrp shortcut
 qos pre-classify
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!

router eigrp 1
 network 10.2.0.0 0.0.255.255
 network 172.16.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 eigrp stub connected summary

Common changes required will be:

  • tunnel source Dialer0 - change this to your WAN interface.
  • network 10.2.0.0 0.0.255.255 - whatever internal addressing you're using at this spoke site.
  • ip nhrp map multicast <hub public ip> - the public IP of the hub router goes in here.
  • ip nhrp map 172.16.1.1 <hub public ip> - same as above.
  • Anything with "cisco" in it, since these are passwords; the other end will have to match. Note that there are 3 different types of authentication here (EIGRP, NHRP and IPsec), and the 3 passwords can be different.
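As an added example (not part of the original post, and not a Cisco tool), here is a small Python script that renders the hub and spoke templates above with the per-site values the two "common changes" lists ask for, using the 10.[site].[vlan].[host]/24 scheme from the requirements: each site owns 10.<site>.0.0/16, the hub takes 172.16.1.1 and spokes take .2, .3, ... in order. Before it renders anything it runs the checks you'd want first: the hub has a static public IP, site IDs are unique (otherwise the 10.<site>.0.0/16 ranges overlap), and the EIGRP, NHRP and ISAKMP keys have been changed from "cisco" and differ from each other. It keeps the post's key chain, crypto, NHRP and EIGRP lines exactly and leaves out the PIM, QoS and reassembly lines; the site list, the Dialer0/GigabitEthernet8 interface names and the 203.0.113.10 hub address are constructed sample data. It reproduces the post's MD5 and pre-shared-key choices as written; for a hub you expose to the internet, an ISAKMP policy with AES and a SHA-2 hash and an ESP transform set with a SHA-2 HMAC are the stronger modern choice.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TUNNEL_NET = ipaddress.ip_network("172.16.1.0/24")  # the post's internal DMVPN network

@dataclass
class Site:
    site_id: int                     # second octet: the site owns 10.<site_id>.0.0/16
    wan_interface: str               # tunnel source, e.g. GigabitEthernet8 or Dialer0
    public_ip: Optional[str] = None  # static public address; only the hub needs one

@dataclass
class Secrets:
    eigrp: str   # key-string in key chain EIGRP-CHAIN
    nhrp: str    # ip nhrp authentication
    isakmp: str  # crypto isakmp key

def tunnel_address(index: int) -> str:
    """Hub is index 0 -> 172.16.1.1; spokes take .2, .3, ... in list order."""
    return str(TUNNEL_NET.network_address + index + 1)

def validate(hub: Site, spokes: list, secrets: Secrets) -> list:
    """Checks to run before pasting anything into a router; empty list means OK."""
    problems = []
    if not hub.public_ip:
        problems.append("hub needs a static public IP for spokes to register against")
    ids = [s.site_id for s in [hub, *spokes]]
    if len(set(ids)) != len(ids):
        problems.append("site ids must be unique or the 10.<site>.0.0/16 ranges overlap")
    if any(not 0 <= i <= 255 for i in ids):
        problems.append("a site id must fit in one octet")
    for name, value in vars(secrets).items():
        if value == "cisco":
            problems.append(f"{name} key is still the example value 'cisco'")
    if len({secrets.eigrp, secrets.nhrp, secrets.isakmp}) < 3:
        problems.append("EIGRP, NHRP and IPsec keys should all differ")
    return problems

def common_config(secrets: Secrets) -> str:
    """Key chain and crypto lines shared by hub and spokes, as in the post."""
    return "\n".join([
        "key chain EIGRP-CHAIN", " key 1", f"  key-string 0 {secrets.eigrp}", "!",
        "crypto isakmp policy 10", " hash md5", " authentication pre-share",
        f"crypto isakmp key {secrets.isakmp} address 0.0.0.0", "!",
        "crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac", " mode tunnel", "!",
        "crypto ipsec profile DMVPN", " set transform-set AES_MD5", "!"])

def tunnel_config(site: Site, role: str, secrets: Secrets, index: int,
                  hub_public_ip: Optional[str] = None) -> str:
    """Tunnel1 and EIGRP stanzas for one router; role is 'hub' or 'spoke'."""
    hub_tun, lan = tunnel_address(0), ipaddress.ip_network(f"10.{site.site_id}.0.0/16")
    lines = ["interface Tunnel1", f" ip address {tunnel_address(index)} 255.255.255.0",
             " no ip redirects", " ip authentication mode eigrp 1 md5",
             " ip authentication key-chain eigrp 1 EIGRP-CHAIN",
             f" ip nhrp authentication {secrets.nhrp}"]
    if role == "hub":  # hub answers registrations and steers spoke-to-spoke shortcuts
        lines += [" no ip next-hop-self eigrp 1", " no ip split-horizon eigrp 1",
                  " ip nhrp map multicast dynamic", " ip nhrp redirect",
                  " ip tcp adjust-mss 1360"]
    else:              # spoke registers with the hub's tunnel address via its public IP
        lines += [f" ip nhrp map multicast {hub_public_ip}",
                  f" ip nhrp map {hub_tun} {hub_public_ip}", f" ip nhrp nhs {hub_tun}"]
    lines += [" ip nhrp network-id 1", " ip nhrp holdtime 60",
              " ip nhrp registration timeout 30", " ip nhrp shortcut",
              f" tunnel source {site.wan_interface}", " tunnel mode gre multipoint",
              " tunnel key 1", " tunnel path-mtu-discovery",
              " tunnel protection ipsec profile DMVPN", "!", "router eigrp 1",
              f" network {lan.network_address} {lan.hostmask}",   # wildcard-mask form
              f" network {TUNNEL_NET.network_address} {TUNNEL_NET.hostmask}",
              " passive-interface default", " no passive-interface Tunnel1"]
    if role == "spoke":
        lines.append(" eigrp stub connected summary")
    return "\n".join(lines)

def build(hub: Site, spokes: list, secrets: Secrets) -> dict:
    """Map site_id -> complete config; refuses to render while validate() complains."""
    problems = validate(hub, spokes, secrets)
    if problems:
        raise ValueError("; ".join(problems))
    out = {hub.site_id: common_config(secrets) + "\n" + tunnel_config(hub, "hub", secrets, 0)}
    for i, spoke in enumerate(spokes, start=1):
        out[spoke.site_id] = common_config(secrets) + "\n" + tunnel_config(
            spoke, "spoke", secrets, i, hub.public_ip)
    return out

# Constructed sample: hub at site 0 on a documentation-range address, two spokes on Dialer0.
HUB = Site(0, "GigabitEthernet8", "203.0.113.10")
SPOKES = [Site(2, "Dialer0"), Site(3, "Dialer0")]
SECRETS = Secrets("eigrp-key-CHANGEME", "nhrp-key-CHANGEME", "isakmp-key-CHANGEME")

if __name__ == "__main__":
    for site_id, config in build(HUB, SPOKES, SECRETS).items():
        print(f"! ---- site {site_id} ----\n{config}\n")
```

Run it as-is to print the hub config plus two spoke configs; substitute your own WAN interface names, site numbers and keys in HUB, SPOKES and SECRETS. Because the three keys come from one object, it is easy to see at a glance that the EIGRP, NHRP and IPsec passwords really are different, which the post recommends and which the validator enforces.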

That's pretty easy, isn't it? We've got some EIGRP on the go because we'll need to share subnets between sites. The 172.16.1.0/24 network is used internally for the DMVPN tunnel, and there's IPsec encryption bolted on for added security.

If you're using a firewall, you'll need to allow ESP and ISAKMP through for the tunnels to come up.

It really is that simple. Yes, I could explain what every command actually does, but that's what the rest of the internet is for.